How to Use PowerShell to Find Non-System Service Accounts

May 1, 2013 | November 13th, 2020 | Blog

In many companies, systems administrators have set up user accounts for services to run under. The services keep running and the accounts are quickly forgotten until something changes and the passwords for these accounts need to be changed. Then comes the task of finding everywhere the account is used.

Having been faced with this, I wrote a simple PowerShell script that will connect to your Active Directory, find your servers and then tell you which services on those servers are running with a service account.

This script does have the prerequisite that you install the Quest AD Cmdlets. You can download them from here: https://www.oneidentity.com/products/active-roles/activeroles-server.aspx.

NOTE: While this script doesn’t modify anything, it is not recommended to run this against your production environment without testing it first against a lab.

######################################################################
#
# Get-Service Accounts
# Written by Adam Ball
# Version 2.0
#
######################################################################

# Verify that the Quest AD Cmdlets are loaded
If ( (Get-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue) -eq $null ) {
    Add-PSSnapin Quest.ActiveRoles.ADManagement
}

# Get the list of servers from Active Directory
$servers = Get-QADComputer | where { $_.OSName -match "Server" } | sort Name

# Set the live computers array
$livecomputers = @()

# Get Credentials for connecting to servers as a Domain Admin
$cred = Get-Credential

# Check each server to make sure it is up.
foreach ($x in $servers) {
    $up = Test-Connection -Count 1 -ComputerName $x.Name -ErrorAction SilentlyContinue
    if ( $up -ne $null ) { $livecomputers += $x.Name }
}

# Main Function - Using WMI, check each service and find any service that is using a non-standard account
# (a trailing pipe continues the command on the next line, so no backtick is needed)
foreach ($machine in $livecomputers) {
    Write-Output "Machine - $machine"
    gwmi win32_service -computer $machine -Credential $cred |
        where { $_.StartName -ne "LocalSystem" } |
        where { $_.StartName -ne "NT AUTHORITY\LocalService" } |
        where { $_.StartName -ne "NT AUTHORITY\NetworkService" } |
        where { $_.StartName -ne "Local System" } |
        where { $_.StartName -ne "NT AUTHORITY\Local Service" } |
        where { $_.StartName -ne "NT AUTHORITY\Network Service" } |
        ft Name,StartName
}

Adam Ball, PEI
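The filtering step of the script above, rewritten as an added example (not the author's code) that emits objects instead of formatted text, so the inventory can be sorted, grouped by account, or exported. The function name `Select-NonSystemService` and the sample hosts and accounts are constructed for illustration; skipping `NT SERVICE\` virtual accounts is an assumption that goes beyond the original filter list. It needs PowerShell 3.0 or later.

```powershell
# Added example: function name and sample rows are hypothetical, not from the original script.
function Select-NonSystemService {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Service
    )
    begin {
        # Built-in identities with whitespace removed, so "Local System" and
        # "NT AUTHORITY\Local Service" match too. -contains ignores case.
        $builtIn = @(
            'LocalSystem',
            'NTAUTHORITY\SYSTEM',
            'NTAUTHORITY\LocalService',
            'NTAUTHORITY\NetworkService'
        )
    }
    process {
        $account = $Service.StartName
        # StartName can come back empty; there is nothing to report then.
        if ([string]::IsNullOrEmpty($account)) { return }
        $key = $account -replace '\s', ''
        if ($builtIn -contains $key) { return }
        # Assumption: NT SERVICE\<name> virtual accounts are skipped because
        # Windows manages their passwords.
        if ($key -like 'NTSERVICE\*') { return }
        [pscustomobject]@{
            Computer = $Service.SystemName
            Service  = $Service.Name
            Account  = $account
        }
    }
}

# Constructed sample rows shaped like Win32_Service output.
$sample = @(
    [pscustomobject]@{ SystemName = 'SRV01'; Name = 'Spooler';     StartName = 'LocalSystem' }
    [pscustomobject]@{ SystemName = 'SRV01'; Name = 'Dnscache';    StartName = 'NT Authority\Network Service' }
    [pscustomobject]@{ SystemName = 'SRV02'; Name = 'MSSQLSERVER'; StartName = 'NT Service\MSSQLSERVER' }
    [pscustomobject]@{ SystemName = 'SRV02'; Name = 'BackupAgent'; StartName = 'CONTOSO\svc-backup' }
    [pscustomobject]@{ SystemName = 'SRV03'; Name = 'ReportJob';   StartName = 'svc-report@contoso.example' }
)
$sample | Select-NonSystemService | Sort-Object Account, Computer | Format-Table -AutoSize

# Live use with the variables from the script above:
# $livecomputers |
#     ForEach-Object { Get-WmiObject Win32_Service -ComputerName $_ -Credential $cred } |
#     Select-NonSystemService |
#     Export-Csv -Path .\service-accounts.csv -NoTypeInformation
```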

3 Comments

  • I receive an error when running the script:

    PS C:Temp> .testps.ps1
    The string starting:
    At C:Temptestps.ps1:24 char:437
    + foreach ($machine in $livecomputers){ Write-Output “Machine – $machine” gwmi win32_service -computer $machine -Credential $cred | where {$_.StartName -ne “LocalSystem”} | where {$_.StartName -ne “NT AUTHORITYLocalService”} | where {$_.StartName -ne “NT A
    UTHORITYNetworkService”} | where {$_.StartName -ne “Local System”} | where {$_.StartName -ne “NT AUTHORITYLocal Service”} | where {$_.StartName -ne “NT AUTHORITYNetwork Service <<<< "} | ft Name,StartName }
    is missing the terminator: ".
    At C:Temptestps.ps1:24 char:461
    + foreach ($machine in $livecomputers){ Write-Output "Machine – $machine" gwmi win32_service -computer $machine -Credential $cred | where {$_.StartName -ne "LocalSystem"} | where {$_.StartName -ne "NT AUTHORITYLocalService"} | where {$_.StartName -ne "NT A
    UTHORITYNetworkService"} | where {$_.StartName -ne "Local System"} | where {$_.StartName -ne "NT AUTHORITYLocal Service"} | where {$_.StartName -ne "NT AUTHORITYNetwork Service"} | ft Name,StartName } <<<<
    + CategoryInfo : ParserError: (} | ft Name,StartName }:String) [], ParseException
    + FullyQualifiedErrorId : TerminatorExpectedAtEndOfString

  • Todd voelcker says:

    How can this script be modified to output to a file?

  • Nitin Gupta says:

    Use the script below to send the output to a text file:

    # Collect the formatted results for every machine, then write them out once
    $r = @()
    foreach ($machine in $livecomputers) {
        Write-Output "Machine - $machine"
        $r += (gwmi win32_service -computer $machine -Credential $cred |
            where { $_.StartName -ne "LocalSystem" } |
            where { $_.StartName -ne "NT AUTHORITY\LocalService" } |
            where { $_.StartName -ne "NT AUTHORITY\NetworkService" } |
            where { $_.StartName -ne "Local System" } |
            where { $_.StartName -ne "NT AUTHORITY\Local Service" } |
            where { $_.StartName -ne "NT AUTHORITY\Network Service" } |
            ft Name,StartName)
    }

    $r | Out-File c:\scripts\test.txt
